Wednesday, June 6, 2018

Windows 10 – Updating Trusted Root Certificates List

Now, it uses the Windows Update services to do this, and this can be an issue for some enterprises with machines that don’t have Internet access or if you disabled Windows Update in your environment.

Also, if you want to look at this in a different way, it allows you as a SysAdmin to completely control which certificates are allowed or not in your environment.

So, here’s a quick procedure on how you can update that the TRCL without Windows Update enabled:

Downloading Updated TRCL

On a machine with Internet access run the following command:certutil –generateSSTFromWU roots.sst

Then grab that file and create a package with your endpoint management software (ex.: SCCM)

Installing the Updated TRCL

Now that you have generated your SST file, you just need to import the certificates to your machines.

For this one, the easiest way is to create a powershell script with the following line:$sst_file = (Get-ChildItem –Path C:\roots.sst)$sst_file | Import-Certificate –CertStoreLocation Cert:\LocalMachine\Root